Python Digital Forensics Cookbook

Introduction

Probably within the first few hours of starting your career in cyber security, you were already hunched over a screen, feverishly scanning a spreadsheet for clues. This sounds familiar because it is true and part of the daily process for most investigations. Spreadsheets are the bread and butter of cyber security. Within them are details of various processes and specific information extracted from valuable artifacts. In this cookbook, we will frequently output parsed artifact data into a spreadsheet due to its portability and ease of use. However, considering that at one time or another every cyber security professional has created a technical report for a nontechnical audience, a spreadsheet may not be the best option.

Why create reports at all? I think I've heard that muttered by stressed examiners before. Today, everything is built on information interchange and people want to know things as soon as you do. But that doesn't necessarily mean they want a technical spreadsheet and to figure it out themselves. Examiners must be able to effectively distill technical knowledge for lay audiences in order to properly do their job. As good as an artifact may be, even if it is the proverbial smoking gun for a given case, it will likely require detailed explanation to nontechnical individuals for them to fully understand its meaning and ramifications. Give up; reports are here to stay and there's nothing that can be done about that.

In this chapter, you will learn how to create a number of different types of reports and a script to automatically audit our investigation. We will create HTML, XLSX, and CSV reports to summarize data in a meaningful manner:

  • Developing an HTML dashboard template
  • Parsing FTK Imager acquisition logs
  • Building a robust CSV writer
  • Plotting charts and data with Microsoft Excel
  • Creating an audit trail of screenshots throughout an investigation

Visit www.packtpub.com/books/content/support to download the code bundle for this chapter.